Free Trial
Contact Us
Podcast

Root Causes 362: When You're Attacked by a State Actor

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
February 13, 2024

In this episode we share the details of a recent nation state actor attack on Microsoft and some of the lessons learned.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanWe are looking at a blog post from Microsoft Threat Intelligence. The date is January 25, 2024, and the headline of the blog post is Midnight Blizzard: Guidance for Responders on Nation State Attack. And well, what went on here, Jay?
Jason SorokoJason SorokoYeah. Look, ultimately what happened was some bad guys were able to get into Office 365 right within Microsoft. And it's happened at other places. If you are following the news, this is now just the latest version of, the latest victim, of what has been a repetition of these kinds of attacks.

But I think what is really interesting here, Tim, is I think there is some homework. I think that there is some very low hanging fruit. And I think that there's a big lesson here. A lot of this we've talked about before, but it's always good to rethink about these things and realize, even a company the size of Microsoft has not completely locked themselves down. And you know, Tim, I still talk to sometimes large enterprises, small enterprises, and a lot of them think, well, this is covered my security team has got this. Well, no, you probably don't. So there's lessons to be learned. So let's do it. Let's go through it.
Tim CallanTim CallanOk. Let’s do it. Let's go through it. All right.
Jason SorokoJason SorokoHow did the bad guys get in? Right? This is the Root Causes podcast. Let's get into the root cause. Tim, it's passwords.
Tim CallanTim CallanOk. Passwords. Those bugbears? So tell us. So what happened?
Jason SorokoJason SorokoThe entry point was a legacy nonproduction tenant server - this is in Microsoft’s words - that did not have multifactor authentication enabled.

So the bad guy used a spray and pray type of attack. This is according to Microsoft. And were successful in compromising this nonproduction tenant server. And you know, there's some things, there's a few things there. One is passwords, guys. Passwords. Right?
Tim CallanTim CallanUh-huh.
Jason SorokoJason SorokoPasswords. And we could repeat that over and over and over again. But I think also, I think, for everybody, do your security teams obsess over your production systems, and do your IT teams obsess over the uptime over those systems? Because I guarantee that's what happened here at Microsoft and I guarantee that’s what's happening for everybody who is listening to this podcast.

Basically, one of these servers that was just sitting off on the side, you know, it’s probably a server from back in the day even before MFA was implemented, or even available, and it was just forgotten about, and well, who cares about that server. And, you know, guys, bad guys know how to do lateral attacks. Even if you don't have the skills the bad guys do. So if you're putting a system that's publicly, it's publicly exposed to the internet, that does not have a more advanced form of authentication, and you expect that the bad guy cannot figure out security through obscurity, how to move laterally, and, you know, develop the privileges within that environment to be able to walk around, these are big, big mistakes that, as you can see, even Microsoft makes. And look, this blog is great. Microsoft is being fully open in what's happened here. They completely opened the kimono, and it's for all of us to learn. I highly recommend everybody read this. But guys, that's the lowest hanging fruit right there.
Tim CallanTim CallanYeah. Yeah. And so I see a lot of mention of OAuthin this particular article.
Jason SorokoJason SorokoYeah. Quite a bit of that. And so let's talk about lateral movement. Let's talk about the context.
Tim CallanTim CallanOk.
Jason SorokoJason SorokoSo here's one important factoid that was mentioned here, which is the bad guys are using what I used to call fast-flux networks.

And now, you know, what they're calling it here, basically, is the utilization of residential proxy networking, right. Residential proxy, which basically means that the bad guy is coming in at a whole pile of different IP addresses. So if you're attempting to block list based on IP addresses, forget about it. You're not helping yourself. If you think that that's some form of defense, I got news for you, the bad guys, especially, especially the nation state attackers that, you know, from the jurisdiction, these guys are specialists in being able to swap their IP addresses very quickly. And so this was part of how the bad guys were able to obfuscate in their lateral movements.

But I would say that the rest of the story, you know, there's a lot of really good technical information, things you should be listening to in that blog but it really comes down to context is everything. And so you gotta ask yourself the soul searching question - is your network or other computer systems too trusting, too open and allows too many conditions? Let's talk about OAuth for a sec, Tim.
Tim CallanTim CallanOk.
Jason SorokoJason SorokoWhat happens if on your network, you are allowing new OAuth applications to be created? What happens if those new OAuth applications are also permitted to access multiple email systems? Email accounts, for example.
Tim CallanTim CallanOk?
Jason SorokoJason SorokoWhat happens if these OAuth applications are able to create their own new users? Are any of these conditions valid in your enterprise? Well, the answer might be yes. We'll talk about that in a moment. For those of you where the answer is no - well, for heaven's sakes, shut down those capabilities.
Tim CallanTim CallanRight.
Jason SorokoJason SorokoAnd the Microsoft blog does a really good job of talking about, you know, what are the settings? What are the configurations to help to shut down those things? Perfect. Because ultimately, you're too trusting? And why are you too trusting? It's because most of the people who set up these systems, Tim, are IT administrators, and what do IT administrators like? Uptime? And what do IT administrators also like? Convenience. I want to be able to do what I want to do, and just do it and go do it. Well, the problem is convenience for IT administrators means convenience for the bad guys. Sorry to say, but that's the truth.
Tim CallanTim CallanSure. You bet.
Jason SorokoJason SorokoAnd so yes, yes, I know, the term OAuth, was thrown around about 100 times, right? I'm exaggerating, but it feels like it. But this is really where it came down to - Are you allowing the creation of new OAuth applications? Can those OAuth applications do all kinds of highly privileged things? I would argue no way, right? That should go through some sort of change management. So, in other words, if you happen to see a new one pop up, it either means you have to scold somebody in your department. No big deal, right?
Tim CallanTim CallanRight.
Jason SorokoJason SorokoIf it's legitimate, but ungoverned activity, fine. It's a quick reminder, hey, don't do that. You know, you catch it, and you remind the person. But if you catch it, and it happens to be cozy bear or you know, well, then you've actually stopped an attack. And in this case, it didn't stop the attack, because the system was too too convenient for the IT administrators. That's my take.

Now, obviously, the people at the very center of this could argue it. Hey, you know, get on the podcast, talk to us about it. But that's my take when I read the blog, Tim.
Tim CallanTim CallanOk. So what do we want to tell the average listener to go do differently now?
Jason SorokoJason SorokoMy biggest - my biggest, biggest piece of advice number one, is, first of all, go read that blog. It's really well written. Kudos to Microsoft. They've written a lot of great blogs, but this one's a good one and it literally tells you how - -
Tim CallanTim CallanIt’s packed with information. It's long. There's so much here. Yeah.
Jason SorokoJason SorokoIf you're an IT administrator, or you're involved in security at all, just go read it. Just go. That's the reason, in fact, why we're podcasting about it because it's one of these learning moments.

And again, I'm gonna point right back to what I talked about the beginning of the podcast, the lowest hanging fruit, go do it now. For the love of everything, go take inventory of all of your publicly exposed assets. What are the ones that have an authentication mechanism that is just passwords? Write those down on a piece of paper and ask yourself the tough question - can I mitigate this with a better piece of authentication Technology, A? or B, can I just shut it down? Do I really need this to be on? And then the other question is, ok, if all else fails, I can't shut it down, and I can't install a better technology, then you better be monitoring that system, because it's gonna get prayed and sprayed by cozy bear and other people you don't want in your network.
Tim CallanTim CallanRight. Yeah. And so like the initial entry point here - -
Jason SorokoJason SorokoIt comes down to that. Read the blog, take inventory of your most vulnerable systems and then you've got to learn about context, and allowing contexts. And you've got - - if you're the IT administrator, don't just go back home tonight and say to yourself, yeah, well, great. That's the security team's fault. They just have to deal with that. You got to ask yourself the question, is there something you can - - is there some capability that you can shut down in your network or in your applications or your OS configurations? You know your systems best. Are there some contexts of activity that you can shut down that you know won't stop you in your job? Make a list, grab a piece of paper, write those things down and then go do them. There's your homework.
Tim CallanTim CallanThere you go. Ok. All right. So let's just say the name of the blog one more time, in case you didn't remember from the beginning. It's from January 25. It's just from Microsoft. It's the Microsoft Threat Intelligence and it says, Midnight Blizzard Guidance for Responders on Nation State Attack. So there you go, Jason. Definitely a good read. And thank you for that summary.
Jason SorokoJason SorokoThanks, Tim.
Tim CallanTim CallanAll right. This has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud